Manage Roles

Use the Manage Roles page to create, change, or delete roles. You can also manage role membership and role hierarchy.

The role hierarchy defines a parent-child relationship between an organizational role and its child roles. A child role itself is an organizational role.
The user members of a child role inherit the following attributes from the parent role:
  • The entitlements associated with provisioning policies
  • The permissions associated with the Access Control Items (ACIs)
  • The ability to participate in workflow activities
When a child role is removed from a parent role, the entitlements associated with the parent role might be removed and are no longer inherited by the members of the child role.
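
The effect of removing a child role from a parent role can be estimated before the change is made. The following Python code is an added example, not product code or a product API: the RoleGraph class, the role names, and the entitlement names are hypothetical, and it assumes that inheritance is transitive and that a user keeps an entitlement that another role still grants.

```python
from collections import defaultdict

class RoleGraph:
    """Hypothetical in-memory model of a role hierarchy (not the product's schema)."""
    def __init__(self):
        self.parents = defaultdict(set)       # child role -> parent roles
        self.entitlements = defaultdict(set)  # role -> entitlements from its provisioning policies
        self.members = defaultdict(set)       # role -> direct user members

    def ancestors(self, role):
        """The role plus every role reachable upward (assumes transitive inheritance)."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.parents.get(r, ()))
        return seen

    def effective(self, user):
        """Entitlements a user holds through direct roles and their ancestors."""
        out = set()
        for role, users in self.members.items():
            if user in users:
                for r in self.ancestors(role):
                    out |= self.entitlements.get(r, set())
        return out

    def removal_impact(self, child, parent):
        """Dry run: entitlements each user would lose if child is removed from parent."""
        if parent not in self.parents.get(child, ()):
            raise ValueError(f"{child} is not a child role of {parent}")
        affected = {u for role, users in self.members.items()
                    if child in self.ancestors(role) for u in users}
        before = {u: self.effective(u) for u in affected}
        self.parents[child].discard(parent)
        try:
            return {u: before[u] - self.effective(u) for u in affected}
        finally:
            self.parents[child].add(parent)   # restore the edge; nothing is changed

def build_sample():
    """Constructed sample data: bob also holds ledger-account through Auditors."""
    g = RoleGraph()
    g.entitlements["Finance"] = {"ledger-account"}
    g.entitlements["Auditors"] = {"ledger-account", "audit-db"}
    g.entitlements["AP-Clerks"] = {"invoice-app"}
    g.parents["AP-Clerks"].add("Finance")
    g.members["AP-Clerks"] = {"alice", "bob"}
    g.members["Auditors"] = {"bob"}
    return g
```

With the sample data, removing AP-Clerks from Finance costs alice the ledger-account entitlement, while bob loses nothing because Auditors still grants it.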

You cannot delete a role that has user members or child roles. You must remove all of the users and child roles from the role before you can delete it.

You cannot delete a static role that is associated with a separation of duty policy or a provisioning policy. You must first remove the static role from the role separation list in the policy.

Search information
Type information about the search. If you do not type a value in this field, or if you type an asterisk (*) and click Search, the entire list of search results is displayed if the number of results does not exceed the search limit.
Search by
Select the search category.
  • Role name or description searches for a role with a name or description that contains text that is entered in the Search information field.
  • Business unit searches for a role that is associated with a business unit that contains text that is entered in the Search information field.
Roles table
Lists the roles that match the specified search criteria. To sort the table by a specific column, click the arrow in the column heading. The table contains these columns:
Select
Specifies a role. To select one or more roles, select the check box next to the role. To select all roles, select the check box at the top of the column.
Name
Identifies the name of the role. Click the context menu icon next to the role name to display the tasks that can be carried out on the role:
Change
Click to change the role membership or entitlements.
Delete
Click to remove the selected role from the system.
Manage User Members
Click to see which users are members of the selected role, or to manage membership of the selected role.
Manage Child Roles
Click to see which roles are children of the selected role, or to manage membership of the selected role.
Add User Members
Click to add users as members of the selected role. This choice is not available for dynamic roles.
Add Child Roles
Click to add roles as children of the selected role. This choice is not available for dynamic roles.
Manage Provisioning Policies
Click to manage provisioning policies associated with the selected role.
Transfer
You can transfer static and dynamic roles to a business unit that is under the same organization root. The following restrictions apply to role transfers:
  • Roles cannot be transferred across different organization hierarchies.
  • Static and dynamic roles cannot be transferred together.
  • When dynamic roles are transferred, old entitlements might be lost. A user's entitlements or membership are recomputed based on the new business unit to which the dynamic role is transferred.
  • Roles to be transferred must contain an Access Control Item (ACI) granted for the Modify operation.
Description
Provides additional information about the role.
Business Unit
Identifies the business unit to which the role applies. Click the link for more information about the business unit.
Role Type
Indicates whether the role is static or dynamic.
Access Status
Access status for the associated role. Access status displays the following values:
Access Enabled
Access is defined and enabled.
Common Access Enabled
Access is defined and enabled as common.
Access Disabled
Access is disabled or undefined.
Access Type
Access type for the associated service.
If the table contains multiple pages, you can:
  • Click the arrow to go to the next page.
  • Type the number of the page that you want to view and click Go.

You can use these buttons:

Create
Click to create a role.
Change
Click to change the role membership or entitlements.
Delete
Click to remove the selected role from the system.
Export Access Data
Click to open the Export Access Data page, and export the role access data. The Export Access Data button is not active until you select some accesses to activate it. Only the role accesses that you selected are exported.
Import Access Data
Click to open the Import Access Data page to import the access data for a role access. You can also import access data for a set of roles.
Enabled Access
Click to enable access for the selected roles.
Disable Access
Click to disable access for the selected roles.
Refresh
Click to update the list of items in the table.